Gamaredon Group Launches Cyberattacks Using Telegram Against Ukraine

Gamaredon, a Russian state-sponsored cyber espionage group, has continued its digital assault against Ukraine, with recent attacks using the popular messaging app Telegram to target the country’s military and law enforcement.

In a report shared with The Hacker News, the BlackBerry Research and Intelligence Team stated, “The Gamaredon group’s network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then leads the victim to the next stage server for the final payload.” This method of infecting target systems is novel.

Since at least 2013, Gamaredon, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, has been known for its attacks against Ukrainian entities.

During the Russo-Ukrainian conflict, Unit 42 of Palo Alto Networks disclosed the threat actor’s unsuccessful attempts to break into an unnamed petroleum refining company in a NATO member state.

The threat actor has employed Ukrainian government-issued Microsoft Office documents as bait in spear-phishing emails that deliver malware capable of stealing sensitive data.

These documents, when opened, load a malicious template from a remote source (a technique known as remote template injection), thereby circumventing the requirement to enable macros to breach target systems and spread the infection.

The most recent findings from BlackBerry indicate an evolution in the group’s strategy, as a hard-coded Telegram channel is used to retrieve the IP address of the server hosting the malware. The IP addresses are periodically changed to avoid detection.

To accomplish this, the remote template is designed to retrieve a VBA script, which then drops a VBScript file that connects to the IP address specified in the Telegram channel to retrieve the next stage – a PowerShell script that reaches out to a different IP address to obtain a PHP file.

This PHP file is tasked with contacting a second Telegram channel to retrieve a third IP address containing the final payload, which is a piece of information-stealing malware that Cisco Talos disclosed in September 2022.

Notably, the heavily obfuscated VBA script is only delivered if the IP address of the target is located in Ukraine.

“The threat group changes IP addresses dynamically, making it more difficult to automate analysis using sandbox techniques after the sample has aged out,” BlackBerry explained.

“The fact that the suspect IP addresses only change during working hours in Eastern Europe strongly suggests that the threat actor operates from a single location and most likely belongs to an offensive cyber unit that conducts malicious operations against Ukraine.”

The Computer Emergency Response Team of Ukraine (CERT-UA) has attributed a destructive malware attack against the National News Agency of Ukraine to the Russia-affiliated hacking group Sandworm.

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus
380K Kubernetes API Servers Exposed to Public Internet

May 20, 2022

More than 380,000 of the more than 450,000 servers hosting the open-source container-orchestration engine for managing cloud deployments permit access in some form. Researchers have discovered that more than 380,000 Kubernetes API servers provide access to the public internet, making…

Thousands Of Citrix Servers May Be Vulnerable To Attack

December 30, 2022

Many servers remain unpatched, researchers are warning. Numerous Citrix ADC and Gateway servers continue to be susceptible to critical vulnerabilities that were reportedly patched by the company weeks ago, according to experts. Citrix discovered and patched an “Unauthorized access to…

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.

Disclaimer is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of